TISAX®: Requirements & Certification Process Explained!
With TISAX®, the German car industry has unified IT security requirements across its supply chain. Suppliers who want to do business with participating OEMs need to pass a TISAX® assessment. Read on to learn about TISAX® requirements and the certification process.
TISAX® is a registered trademark of the ENX association. tenfold has no business relationship with the ENX association. The use of the name TISAX® in this article is strictly for informative purposes and does not imply any statement by the trademark holder about the suitability of tenfold’s product or services.
What Is TISAX®?
TISAX® (Trusted Information Security Assessment Exchange) is an IT security standard created by the German automotive industry. To protect critical data across the supply chain, suppliers and contractors who want to work with participating manufacturers or OEMs need to complete TISAX® certification to prove that they effectively safeguard vehicle blueprints, prototypes and specs.
TISAX® is based on ISO 27001, the international standard used to certify information security management systems (ISMS). An ISMS is the set of policies, processes and controls through which an organization defines its overall security goals and the individual safeguards that serve them. It also designates who is responsible for ensuring that safeguards are implemented and policies are followed, anchoring IT security at every level of the organization.
In addition to the requirements inherited from ISO 27001, TISAX® adds requirements of its own for data protection and for the confidentiality of proprietary vehicle data.
While German car producers use the TISAX® standard, other countries and manufacturers may have their own schemes, such as the AIAG's TPISR in the US.
Is TISAX® Mandatory?
Although TISAX® is not technically mandatory, it is a must-have for anyone who wants to do business in the car industry and work with participating manufacturers. So in practice, there is no way around completing TISAX® certification if you want to win OEM contracts or maintain existing business relationships.
TISAX®: Key Terms & Concepts
To successfully prepare for TISAX® certification, it’s important to understand these key terms related to the audit process.
Assessment Objective: Not every TISAX® requirement will be relevant to your business. The assessment objective determines which sections of the criteria catalogue you are tested against, such as handling confidential data or safeguarding vehicle prototypes.
Label: Depending on which assessment objective you choose, you will receive the corresponding label once you complete your audit. There are a total of 10 different TISAX® labels available, such as Confidential or Proto Vehicles.
Assessment Level: The assessment level determines how the audit is conducted and follows from your assessment objective. Level 1 is a self-assessment and is not used for official TISAX® results. Level 2 adds a plausibility check of your self-assessment and security documents, with interviews typically conducted remotely. Level 3 assessments are conducted on-site, with staff interviews and a walkthrough of the relevant areas.
Assessment Scope: The assessment scope determines which areas of your organization are audited. It must include all relevant business processes and information systems. However, you can set multiple different scopes if you plan to complete different assessment objectives at different locations.
Maturity Level: TISAX® uses maturity levels on a scale from 0 to 5 to measure how well you have implemented each information security objective. For each objective in the criteria catalogue that applies to you, the target is maturity level 3 or higher.
TISAX® Certification Process
TISAX® certification takes place in several steps, from registering through the official ENX portal to completing your audits and receiving the final assessment result. The certification process itself only takes a few months to complete.
The bigger factor, however, is how long it will take to set up your ISMS. TISAX® preparation can vary greatly from organization to organization. If you completed similar certifications like ISO 27001 in the past and have an existing ISMS to build upon, it will give you a leg up in getting ready.
The step-by-step process to completing TISAX® certification:
Prepare: Research TISAX® requirements, set up your ISMS, select an assessment objective
Register: Sign up for TISAX® through the official ENX Portal
Select an Audit Provider: Choose an audit provider, schedule a kick-off meeting and audit dates
Stage 1 Audit: Review of your submitted self-assessment and ISMS documents
Stage 2 Audit: Detailed document audit, interviews, on-site walkthrough (depending on assessment level)
Corrective Action: If necessary, submit a corrective action plan to address audit findings
Final Assessment Result: You receive your final assessment report and can share your results through the TISAX® exchange platform
Frequently Asked Questions
How long does TISAX® certification take?
There is no time limit on the TISAX® certification process. Even once you have registered, selected an audit provider and held your kick-off meeting, you can take as much time as you need to get your ISMS ready. How long this takes depends on the state of your ISMS and whether you have completed similar certifications before. Once your initial assessment is complete, you have 9 months to take corrective action; after that, you have to start a new assessment instead.
How long is TISAX® certification valid?
TISAX® results are valid for three years, starting from the date of your initial assessment results. That start date applies even if you need follow-up assessments to resolve findings, so the effective validity period is shorter in that case. Unlike ISO 27001, TISAX® has no annual surveillance audits.
How much does TISAX® certification cost?
The total cost of TISAX® certification consists of the audit itself, any consulting services you use to prepare and, most importantly, the cost of implementing the necessary safeguards. Depending on the scope and complexity of your IT, the total cost can range from roughly $10,000 to $200,000.
What happens if the audit finds problems?
TISAX® distinguishes four types of findings: observations, room for improvement, minor non-conformities and major non-conformities. If you meet all requirements and the auditor records at most observations or room for improvement, your assessment result is conform. If the audit reveals minor non-conformities, you can receive a temporary TISAX® label once you submit a corrective action plan. Major non-conformities prevent you from receiving your label until they have been addressed.
How are TISAX® results shared?
TISAX® assessment results are shared by granting other participants access through the TISAX® exchange platform. You can share either the label you have received or the detailed results, down to the maturity levels of individual objectives. Information about your TISAX® results may not be published outside the exchange platform, so potential business partners have to register in order to access it. You can, however, publicly mention your TISAX® participation without going into detail.
Does TISAX® affect Tier 2 and Tier 3 suppliers?
As part of their own TISAX® assessment, automotive suppliers must ensure that an appropriate level of IT security is maintained when collaborating with their partners and contractors. This requires risk assessments and passing contractual obligations down the chain. To keep their business relationships under these conditions, Tier 2 and Tier 3 suppliers will increasingly have to demonstrate TISAX® compliance as well.
TISAX® Requirements
In order to pass TISAX®, your business must create and run an information security management system (ISMS) based on the ISO 27001 standard. Additionally, TISAX® contains a number of industry-specific requirements targeted at the automotive sector. These focus on protecting proprietary vehicle and parts data during the manufacturing process, press events and other stages of the supply chain.
TISAX® requirements consist of:
ISO 27001 requirements
Organizational Controls
People Controls
Physical Controls
Technological Controls
Continuous Improvement
Management Responsibility
TISAX®-specific requirements
Data Protection
Prototype Protection
Managing Vehicles and Parts
Confidentiality Agreements
Protection During Public Events
The goal of TISAX® is to manage all risks to the integrity, availability and confidentiality of information shared by OEMs with their suppliers. This includes threats such as data breaches and cyber attacks as well as unauthorized access within the organization such as insider threats and employee data theft.
TISAX® Assessment Objectives
A detailed list of TISAX® requirements is available in the criteria catalogue Information Security Assessment (VDA ISA). Which sections of the catalogue are relevant to your organization depends on the assessment objective you plan to complete. There are a total of 10 objectives to choose from.
| Assessment Objective | Requirements | Assessment Level (AL) |
|---|---|---|
| Confidential | Information Security tab: must, should and high protection needs (if marked C for confidentiality) | Level 2 |
| Strictly confidential | Information Security tab: must, should, high and very high protection needs (if marked C for confidentiality) | Level 3 |
| High availability | Information Security tab: must, should and high protection needs (if marked A for availability) | Level 2 |
| Very high availability | Information Security tab: must, should, high and very high protection needs (if marked A for availability) | Level 3 |
| Proto parts | Prototype Protection tab: must and should, chapters 8.1, 8.2 and 8.3 | Level 3 |
| Proto vehicles | Prototype Protection tab: must, should and additional requirements, chapters 8.1, 8.2 and 8.3 | Level 3 |
| Test vehicles | Prototype Protection tab: must and should, chapters 8.2, 8.3 and 8.4 | Level 2 |
| Proto events | Prototype Protection tab: must and should, chapters 8.2, 8.3 and 8.5 | Level 2 |
| Data | Information Security tab: must, should and high protection needs (if marked C for confidentiality); Data Protection tab: must requirements | Level 2 |
| Special Data | Information Security tab: must, should, high and very high protection needs (if marked C for confidentiality); Data Protection tab: must requirements | Level 3 |
TISAX® Maturity Levels
To meet a TISAX® requirement, you must achieve a maturity level of 3 or higher for the security objective in question. The maturity model rates how thoroughly a requirement has been implemented on a scale from 0 to 5.
Maturity Level 0, Incomplete: A process does not exist, is not followed or not suitable to achieve the objective.
Maturity Level 1, Performed: A process is followed which is not or insufficiently documented and there is some evidence that it achieves its objective.
Maturity Level 2, Managed: A process achieving its objectives is followed. Process documentation and process implementation evidence are available.
Maturity Level 3, Established: A standard process integrated into the overall system is followed. Dependencies on other processes are documented and suitable interfaces are created. Evidence exists that the process has been used consistently over an extended period.
Maturity Level 4, Predictable: An established process is followed. The effectiveness of the process is continually monitored by collecting key figures. Thresholds are defined at which the process is considered insufficiently effective and in need of adjustment.
Maturity Level 5, Optimizing: A predictable process with continual improvement as a major objective is followed. Improvement is actively advanced by means of dedicated resources.
TISAX® Requires Comprehensive IT-Security
To successfully complete their TISAX® assessment, automotive suppliers and contractors need to defend against all manner of IT threats. The requirements cover malware protection, vulnerability management, network segmentation, encryption, business continuity management and much more.
Businesses need to cover a wide range of security requirements. This means that to achieve TISAX® certification, you need the right mix of security solutions, tailored to your organization. The field of information security is far too complex for a single product to solve every compliance challenge.
The Role of Identity Governance in TISAX®
As part of its comprehensive approach to IT security, TISAX® also requires organizations to manage user identities and access rights so that only the right people can reach sensitive information such as proprietary vehicle and parts data.
You can find the relevant requirements of TISAX® under Section 4: Identity and Access Management of the VDA ISA (published by ENX). To prepare for this part of your audit, your organization should be able to answer questions such as:
What is the process for creating, updating and removing user accounts?
Are user accounts regularly reviewed?
Are access rights allocated on a least privilege basis?
Are access rights revoked when no longer needed?
Using an automated Identity Governance & Administration solution helps organizations streamline the process of managing user accounts and access rights.
Identity Governance & Administration: Important Features
Identity Governance & Administration (IGA) provides several features that can help your organization meet the requirements listed under Section 4 of the VDA ISA (published by ENX). These are just some of the features to be aware of:
User Lifecycle Management automates on- and offboarding by giving each account exactly the set of privileges intended for its job role and removing them again when the role or employment ends.
Centralized reporting provides a clear overview of access rights across all IT systems, allowing organizations to identify and remediate unwanted access.
Access Reviews ensure that IT privileges are checked regularly and stay within compliance and security guidelines.
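To make the four audit questions above and the three IGA features concrete, here is an added example of an automated access review written for this article; it is not code from the original page, from tenfold's product or from the VDA ISA. It assumes a constructed role baseline (which entitlements each job role is supposed to carry), a constructed account export of the kind a directory or IGA tool would produce, and a constructed HR leaver list. The review flags entitlements outside the role baseline (least privilege), accounts that are dormant beyond an idle threshold (regular review), and offboarded users whose accounts are still enabled (revocation on departure); all names and entitlements are hypothetical.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional

# Role baseline: the entitlements each job role is supposed to carry.
# Constructed for this example; in practice it comes from the ISMS role model.
ROLE_BASELINE: Dict[str, FrozenSet[str]] = {
    "design-engineer":      frozenset({"cad-vault:read", "cad-vault:write", "vpn"}),
    "qa-tester":            frozenset({"cad-vault:read", "test-bench", "vpn"}),
    "prototype-contractor": frozenset({"proto-share:read"}),
}


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    entitlements: FrozenSet[str]
    last_login: Optional[date]   # None means the account has never logged in
    enabled: bool


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str     # "excess", "unknown-role", "dormant" or "leaver-enabled"
    detail: str


# Constructed account export, as an IGA tool or directory dump would provide it.
ACCOUNTS: List[Account] = [
    Account("a.huber",  "design-engineer",      frozenset({"cad-vault:read", "cad-vault:write", "vpn"}), date(2024, 5, 28), True),
    Account("b.schmid", "qa-tester",            frozenset({"cad-vault:read", "cad-vault:write", "test-bench", "vpn"}), date(2024, 5, 30), True),
    Account("c.meier",  "design-engineer",      frozenset({"cad-vault:read", "vpn"}), date(2024, 1, 15), True),
    Account("d.ext",    "prototype-contractor", frozenset({"proto-share:read", "vpn"}), None, True),
    Account("e.old",    "qa-tester",            frozenset({"test-bench"}), date(2023, 11, 2), False),
]

# Users reported as left by the HR feed; constructed for this example.
LEAVERS = frozenset({"c.meier"})


def excess_entitlements(account: Account) -> Optional[FrozenSet[str]]:
    """Entitlements the account holds beyond its role baseline.

    Returns None when the role has no baseline at all, which is itself a
    finding: nobody can judge least privilege for an undefined role.
    """
    baseline = ROLE_BASELINE.get(account.role)
    if baseline is None:
        return None
    return account.entitlements - baseline


def is_dormant(account: Account, today: date, max_idle_days: int) -> bool:
    """True for an enabled account that never logged in or has been idle too long."""
    if not account.enabled:
        return False
    if account.last_login is None:
        return True
    return (today - account.last_login) > timedelta(days=max_idle_days)


def review(accounts: List[Account], leavers: FrozenSet[str], today: date,
           max_idle_days: int = 90) -> List[Finding]:
    """Run the three checks over an account export and return all findings."""
    findings: List[Finding] = []
    for acc in accounts:
        if acc.user in leavers and acc.enabled:
            findings.append(Finding(acc.user, "leaver-enabled",
                                    "account still enabled after offboarding"))
        excess = excess_entitlements(acc)
        if excess is None:
            findings.append(Finding(acc.user, "unknown-role",
                                    f"no baseline defined for role {acc.role!r}"))
        elif excess and acc.enabled:
            # Disabled accounts cannot use their entitlements, so only enabled
            # accounts with rights outside the baseline violate least privilege.
            findings.append(Finding(acc.user, "excess",
                                    "outside role baseline: " + ", ".join(sorted(excess))))
        if is_dormant(acc, today, max_idle_days):
            idle = "never logged in" if acc.last_login is None else \
                f"idle for {(today - acc.last_login).days} days"
            findings.append(Finding(acc.user, "dormant", idle))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, the figure a maturity level 4 process would trend."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    # Fixed review date so the constructed data gives a reproducible result.
    result = review(ACCOUNTS, LEAVERS, today=date(2024, 6, 1))
    for f in result:
        print(f"{f.user:10} {f.kind:15} {f.detail}")
    print(summarize(result))
```

Run against the constructed export with a review date of 2024-06-01, the script reports an excess `cad-vault:write` right for the QA tester, a leaver whose account is still enabled and has been idle for 138 days, and a contractor account that holds VPN access outside its baseline and has never logged in; the disabled account produces no findings. The same three checks, driven by a real directory export and HR feed, are what an IGA tool runs on a schedule to produce the evidence an auditor asks for under Section 4 of the VDA ISA.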